Compliance

On March 1, 2024, Singapore’s Ministry of Communications and Information announced[1] that a study would be launched to introduce a new piece of legislation, the Digital Infrastructure Act (DIA), to boost the resilience and security of key digital infrastructure and services in Singapore.Continue Reading Singapore to Pass New Law to Boost Digital Resilience

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

Biden Budget Proposal Advances AI Priorities | Privacy World

US Regulators Lift the Curtain on Data Practices With Assessment, Reporting

Originally posted on Squire Patton Boggs’ Capital Thinking blog by David StewartLudmilla Kasulke and Dominic Braithwaite.


On March 11, 2024, US President Joe Biden released his Fiscal Year (FY) 2025 budget request, which included proposals on U.S. Artificial Intelligence (AI) development and efforts to implement the Biden Administration’s Executive Order (EO) on AI. The budget identifies the National Science Foundation (NSF) as central to U.S. leadership in AI, requesting $10.2 billion in funding for the agency. $2 billion of that total would be dedicated to research and development (R&D) in accordance with CHIPS Act priorities, including AI, and $30 million would support the National AI Research Resource pilot program. The budget also requests $65 million for the Commerce Department “to safeguard, regulate, and promote AI, including protecting the American public against its societal risks.” This funding would include directing the National Institute of Standards and Technology (NIST) to establish the U.S. AI Safety Institute. The institute would be responsible for operationalizing “NIST’s AI Risk Management Framework by creating guidelines, tools, benchmarks, and best practices for evaluating and mitigating dangerous capabilities and conducting evaluations including red-teaming to identify and mitigate AI risk.” Further, the Department of Energy (DOE) Office of Science, which is responsible for implementing aspects of both the CHIPS Act and the AI EO, would receive $8.6 billion under the President’s proposed budget.Continue Reading Biden Budget Proposal Advances AI Priorities

Following the lead of Europe, four US states currently require businesses to conduct and document assessments to evaluate and mitigate risks in connection with new and ongoing personal data processing activities, and at least eight additional states will do so between now and the end of 2025. California, which applies its requirements beyond traditional consumers to human resources and business-to-business contexts, requires regulatory filings of assessments (which may end up being in abridged form). On March 8, draft California assessment regulations were moved forward toward preparation for public comment, as detailed here. All of the states give regulators the ability to inspect assessments, which must be retained for that purpose. These new obligations will raise the curtain on companies’ info governance practices for regulators, and thereby necessitate robust data protection programs that are more than “window dressing.” Regulators have been clear about their plans to move to more aggressive enforcement of new state privacy laws, as discussed here and here, and assessments will give them a roadmap to do so.Continue Reading US Regulators Lift the Curtain on Data Practices With Assessment, Reporting and Audit Requirements

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.

In Narrow Vote California Moves Next Generation Privacy Regs Forward | Privacy World

EDPB Versus Ireland? Does the Opinion on

The staff and board of the California Privacy Protection Agency (“CPPA”) have been working for nearly two years on a new set of proposed rulemaking under the California Consumer Privacy Act, as amended by the California Privacy Rights Act  (“CCPA”).  A year ago the current CCPA regulations were finalized, but several complex issues where reserved for further consideration and some proposals were pulled back to ease initial implementation.  Their enforcement was initially enjoined and delayed by a trial court, but a California appeals court reversed that order, including any delay on the effectiveness of future regulations.  New draft regulations were proposed by the CPPA staff and considered but not approved by the CPPA board in Q4 of 2023.  In February 2024 further revised draft regulations were released and considered on March 8 by the CCPA board, which voted 5 to 0 to move forward amendments to the existing regulations and, after a spirited debate, 3 (Urban, Le and Worthe for) to 2 (de la Torre and Mactaggert against) to also move forward with new draft regulations on data risk assessments and data driven technologies, with a direction to staff to add to the requirements for filing abridged assessments with the CPPA a discussion on what safeguards were employed to mitigate risks (with an exception for when disclosure would be a security risk).  In each case the staff was authorized to prepare the materials necessary under administrative procedures laws and regulations to publish a notice of prepared rulemaking, the publication which will be subject to a further Board vote after reviewing the rule making package.  The staff was also authorized to make further edits to the draft regulations to clarify text or conform with law.  Although the motions did not set a firm date for staff to complete that work, the discussions contemplate that it would be done by the July 2024 Board meeting at the latest.  That could result in effective regulations in Q3, though given the complexity and lack of Board consensus year-end is optimistic.Continue Reading In Narrow Vote California Moves Next Generation Privacy Regs Forward

On February 13, 2024, the European Data Protection Board (EDPB) released its opinion on the notion of the main establishment of a controller in the EU under article 4(16)(a) GDPR and the criteria for the application of the “one-stop shop” mechanism, in particular, regarding the notion of a controller’s “place of central administration” (PoCA) in

On March 8, 2024, the California Privacy Protection Agency (“CPPA” or “Agency”) Board (“Board”) will consider draft regulations that set forth how automated decisionmaking technology (“ADMT”) and profiling will be regulated under the California Consumer Privacy Act (“CCPA”).  The proposal includes the regulation of a new concept of “behavioral advertising” that is deemed “extensive profiling”

On February 21, the Administration announced an Executive Order (“EO”) aimed at strengthening cybersecurity at U.S. Ports. While not directly applicable to critical infrastructure entities in other sectors, the EO highlights the Administrator’s focus on critical infrastructure more broadly and sets forth steps that can be taken by all critical infrastructure operators to harden their cybersecurity posture.Continue Reading Executive Order on Maritime Cybersecurity Illuminates Path Forward for All Critical Infrastructure Operators

In case you missed it, below are recent posts from Privacy World covering the latest developments on data privacy, security and innovation. Please reach out to the authors if you are interested in additional information.Continue Reading Privacy World Week in Review